Help Center/ Elastic Cloud Server/ Best Practices/ Setting Up an Application/ Using auditd to Record File Changes (Linux)
Updated on 2024-07-31 GMT+08:00

Using auditd to Record File Changes (Linux)

The auditd is a user-space component of the Linux audit system. It records operation logs, including file read/write and invoking records, in the OS, which can be used for audit if a fault occurs. This section uses CentOS 7.4 64bit as an example to describe how to install and configure auditd.

auditd-related Tool Commands and Configuration Files

Tool commands:

  • auditctl: controls the audit daemon in real time, such as adding rules.
  • aureport: checks and generates audit reports.
  • ausearch: searches for audit events.
  • auditspd: forwards event notifications to other applications instead of writing them to audit logs.
  • autrace: traces processes.

Configuration files:

  • /etc/audit/auditd.conf: specifies configuration file of auditd.
  • /etc/audit/rules.d/audit.rules: contains audit rules.
  • /etc/audit/audit.rules: records audit rules.

Procedure

Installing auditd

  1. Run the following command to install auditd:

    yum install -y auditd*

    After auditd is installed for the first time, there are no audit rules by default. You can run the sudo auditctl -l command to query the audit rules.

  2. Run the following command to check the runtime status of auditd:

    service auditd status

    Figure 1 Runtime status

Configuring audit rules

  1. Run the following command to configure the monitoring file and change the directory:

    auditctl -w /etc/passwd -p rwxa

    where:

    • -w: specifies the file path to be monitored. The preceding command specifies the monitored file path /etc/passwd.
    • -p: specifies the access permission of the file or directory that triggers the audit.
    • rwxa: specifies trigger conditions. r indicates the read permission, w the write permission, x the execution permission, and a the attribute.
  2. Run the following commands to audit all accesses to /production:

    mkdir production

    auditctl -w /production/

  3. Run the following command to check configured rules:
    auditctl -l
    -w /etc/passwd -p rwxa
    -w /production -p rwxa
  4. After rules are added, run the following command to check the audit log:

    ausearch -f /etc/passwd

    Figure 2 Checking the audit log

    Figure 2 shows that the file is not modified. The parameters are described as follows:

    • time: audit time
    • name: audit object
    • cwd: current path
    • syscall: related system calls
    • auid: ID of the audited user
    • uid and gid: user ID and user group ID for accessing a file
    • comm: command for a user to access a file
    • exe: file path where the preceding command can be executed
  5. Run the following command to add a user test to the monitoring file:

    useradd test

  6. Run the following command to check the audit log again:

    ausearch -f /etc/passwd

    Figure 3 Checking the audit log again

    Figure 3 shows that /etc/passwd is modified by user root (uid=0, gid=0) in the /root directory at a specified time. The /etc/passwd file is accessed from /usr/bin/sudo.

  7. Run the following command to check whether the audit log contains any content:

    ausearch -f /production

  8. Run the following commands to change the directory permissions as user root and check the audit log again:

    chmod -R 777 /test/

    ausearch -f /test/

  9. Run the following command to view the audit report:

    aureport

    Figure 4 Viewing the audit report
  10. Run the following command to view the authorization failure details:

    aureport -au

    Figure 5 Viewing authorization failure details
  11. Run the following command to view all events related to account modifications:

    aureport -m

    Figure 6 Viewing account modification events
  12. (Optional) Run the following commands to clear the defined rules:

    auditctl -D

    auditctl -l

    Figure 7 Clearing defined rules